javax.annotation:javax.annotation-api:1.2 dependency for MP 1.2


sst...@redhat.com

Aug 30, 2017, 1:31:07 PM
to Eclipse MicroProfile
So Kevin has pointed out that MP-JWT is bringing in a new Java EE dependency into the MicroProfile 1.2 release, so we need to be clear that is acceptable. We did have a discussion around the use of the security annotations a while ago when I brought up the fact that not relying on a web.xml descriptor did not allow the TCK tests to describe the security constraints. The consensus at that time was that we would use the Java EE security annotations, and introduce a @LoginConfig that corresponds to the web.xml login-config element since there was no existing annotation analog.

The javax.annotation:javax.annotation-api: is a small api that includes the following annotations. We would only be using these highlighted in blue:

[upstream-microprofile-jwt-auth 510]$ jar -tf ~/repository/javax/annotation/javax.annotation-api/1.2/javax.annotation-api-1.2.jar
javax/annotation/Generated.class
javax/annotation/ManagedBean.class
javax/annotation/package.html
javax/annotation/PostConstruct.class
javax/annotation/PreDestroy.class
javax/annotation/Priority.class
javax/annotation/Resource$AuthenticationType.class
javax/annotation/Resource.class
javax/annotation/Resources.class
javax/annotation/security/DeclareRoles.class
javax/annotation/security/DenyAll.class
javax/annotation/security/PermitAll.class
javax/annotation/security/RolesAllowed.class
javax/annotation/security/RunAs.class
javax/annotation/sql/DataSourceDefinition.class
javax/annotation/sql/DataSourceDefinitions.class



The point of this thread is to make sure there are no problems with the inclusion of that dependency in MicroProfile 1.2. Not everyone follows the MP-JWT discussions, so I'm raising this here to get yes/no votes.

If there is a decision to not use the @RolesAllowed, @DeclareRoles, @DenyAll and @PermitAll security annotations from javax.annotation-api, then we would have to introduce analogs for this in the MP-JWT API, just as we introduced the @LoginConfig.

Kevin Sutter

Aug 30, 2017, 5:24:21 PM
to Eclipse MicroProfile
Scott,
It looks like the use of the javax.annotation package is only specified as part of the TCK.  Although I also see it referenced in your spec when talking about supporting Jwt-Auth in a container (app server) environment...

So, let me ask this...  If somebody were to take the Jwt spec and API and develop an implementation, would the use of the javax.annotations be a required aspect of the implementation?  Or, would it be an "implementation detail" depending on the facilities provided by the implementor's environment?

If it's the former, then we do have to decide whether to introduce another formal dependency on Java EE (like we have for cdi, jsonp, and jaxrs).  If it's the latter, then we can just document this as a build and test dependency.

Thanks, Kevin

sst...@redhat.com

Aug 30, 2017, 5:39:44 PM
to Eclipse MicroProfile
The only way we have for a MicroProfile application to define security constraints as needed for use with MP-JWT is to use the javax.annotation package security annotations. So, any MP-JWT implementation would have to depend on the javax.annotation package security annotations in order to parse the use of these annotations by the JAX-RS application to describe its security requirements. Essentially it is coming in as a required application dependency due to the fact that we have no other mechanism to describe security requirements. It is a required aspect of both the client JAX-RS application and any MP-JWT implementation.
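
Added example (not part of the original thread, and not code from MP-JWT or any implementation): one way a runtime could read the javax.annotation.security annotations named in this thread from an application class and turn them into an access decision. AccountResource, isAllowed and decide are hypothetical names; the caller's roles are assumed to come from an already verified token, and methods with no annotation at either level are treated as unchecked.

```java
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

public class AnnotationConstraintDemo {

    // Hypothetical application class; in a real service this would be a JAX-RS resource.
    @DeclareRoles({"admin", "user"})
    @RolesAllowed("user")                      // class-level default for every method
    static class AccountResource {
        public String balance() { return "balance"; }              // inherits "user"
        @RolesAllowed("admin") public String close() { return "closed"; }
        @PermitAll public String health() { return "ok"; }
        @DenyAll public String debug() { return "debug"; }
    }

    // A method-level annotation overrides the class-level one.
    static boolean isAllowed(Method method, Set<String> callerRoles) {
        Boolean decision = decide(method, callerRoles);
        if (decision == null) {
            decision = decide(method.getDeclaringClass(), callerRoles);
        }
        // Assumption: no annotation at either level means "unchecked".
        return decision == null || decision;
    }

    // Returns null when the element carries none of the three constraint annotations.
    private static Boolean decide(AnnotatedElement element, Set<String> callerRoles) {
        if (element.isAnnotationPresent(DenyAll.class)) return false;   // most restrictive first
        if (element.isAnnotationPresent(PermitAll.class)) return true;
        RolesAllowed allowed = element.getAnnotation(RolesAllowed.class);
        if (allowed == null) return null;
        return Arrays.stream(allowed.value()).anyMatch(callerRoles::contains);
    }

    public static void main(String[] args) throws Exception {
        Set<String> roles = Set.of("user");    // constructed sample: roles of the caller
        for (String name : new String[] {"balance", "close", "health", "debug"}) {
            Method m = AccountResource.class.getDeclaredMethod(name);
            System.out.println(name + " -> " + isAllowed(m, roles));
        }
    }
}
```

Compiling this needs only javax.annotation-api on the classpath, which is the dependency under discussion.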

Emily Jiang

Aug 30, 2017, 5:43:30 PM
to Eclipse MicroProfile
I don't see any problem with the dependency on javax.annotation-api. We just need to put it on the list to be scanned and I don't see that there will be an issue. There is no point in reinventing wheels.

Emily

Kevin Sutter

Aug 30, 2017, 5:56:12 PM
to Eclipse MicroProfile
:-)  Agree, Emily.  Same argument we used yesterday with the use of Config with FT... 

I don't see an issue with this new dependency either.  I just want to make sure that the community is okay with it and understands the dependency.

--  Kevin

Kevin Sutter

Aug 30, 2017, 6:10:32 PM
to Eclipse MicroProfile
Scott,
While this discussion/vote continues, let's start the process of getting the CQ approval for javax.annotation 1.2.  No matter how this discussion turns out, it will be better to have this approval in our back pocket.  It looks like this has been previously approved by another project, so I will go ahead and create a piggyback CQ to get this done and out of the way.

Thanks!
Kevin

John D. Ament

Aug 30, 2017, 10:23:28 PM
to Eclipse MicroProfile
Just to point out some peculiarity here.

javax.annotation 1.2 is required by CDI, however the CDI API doesn't actually rely on it.  The CDI spec does require it.  Any valid CDI implementation would require it as well.

I would actually recommend we consider adding javax.annotation 1.2 to the microprofile-bom.  Maybe not this release but a coming release.

John

Kevin Sutter

Aug 30, 2017, 10:35:03 PM
to MicroProfile
Yep, John, I had noticed that when I did the IP review for Config 1.0.  But, it looked like it was only referenced by the Javadoc, and the version that was brought in was from Geronimo (not the official javax version). 

But, I agree that we probably now include it with the microprofile-bom.  If we go ahead with this for JWT, then I can make that change for MP 1.2.

Thanks,
Kevin

Emily Jiang

Aug 31, 2017, 4:37:11 AM
to Eclipse MicroProfile
+1 on John and Kevin!

Emily

Werner Keil

Aug 31, 2017, 8:49:09 AM
to Eclipse MicroProfile
Is there a recent BOM/POM with optional components aka using dependencyManagement for such libraries that are only used by certain components, or is it still the state it was in earlier?

Werner

Kevin Sutter

Aug 31, 2017, 11:08:13 AM
to MicroProfile
No, I haven't started any work towards the MP 1.2 release yet...  Except for the IP reviews, etc...

Ondro Mihályi

Aug 31, 2017, 8:24:46 PM
to Eclipse MicroProfile
Hi all,

I'm quite in favor of adding javax.annotation to the list of MP dependencies, as it doesn't add any burden on implementers (no interfaces to implement, only a set of common annotations and an enum). Moreover, it should be already supported by MP 1.1 implementations because of the requirement to support it in MP Config 1.0.

The annotation API isn't a mandatory dependency of Config. Only the @Priority annotation is used if detected in the application, just as a convenient way to specify priority of converters and avoid introducing custom annotation for it. With JWT, the annotations from the annotation API are more critical and it really doesn't make sense to reinvent the wheel and introduce custom annotations. Therefore adding the annotations API into MP makes sense.

If we agree on adding the annotation API as a MicroProfile dependency, then it can be set also as an explicit dependency of MP Config 1.1 - the CDI API artifact doesn't bring them as a dependency, although the specification supports some of the annotations if they are found on the classpath. It makes more sense to me to declare it as a dependency to make it available to app developers just with a single MP artifact.

P.S. The latest javax.annotation API artifact is 1.3 and not 1.2: http://search.maven.org/#artifactdetails%7Cjavax.annotation%7Cjavax.annotation-api%7C1.3%7Cjar

--Ondro

Alasdair Nottingham

Aug 31, 2017, 8:30:10 PM
to microp...@googlegroups.com
I have to admit I assumed it was required by JAX-RS as I've used those annotations on my JAX-RS methods for access control in the past. 

Alasdair Nottingham

Kevin Sutter

Aug 31, 2017, 8:36:30 PM
to MicroProfile
Ondro, 
Common Annotations 1.3 is Java EE 8...  Not going there yet... 

-- Kevin 
